NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.config.annotation.web.builders.HttpSecurity' available #258
Labels
Comments
|
And here's the full stack trace: |
|
Thanks for the question!
|
|
|
Since you're trying with a corporate production org, you may need to create your Authorization Server and you will need to get API Access Manager as a Product. Try out your code with the developer account org and it should work. See signup instructions at developer.okta.com. Or, try out the Okta CLI tool. |
|
@arvindkrishnakumar-okta - I am able to get an access token from the issuer I have provided without having to set up a custom authorization server in a separate flow. I am trying to use that same issuer now for validating the token. Are you saying I have to have a separate Okta Authorization server setup just for validation? Also if I can hit https://slackcorp.okta.com/.well-known/openid-configuration is that sufficient? |
|
Accessing |
|
@arvindkrishnakumar-okta - Okay, I checked the token and the
And should be in this format:
Is that still the case? |
Yes. Note that for root issuer, Okta Spring boot SDK (versions 2.0.0+) will attempt to validate the token remotely by making an API call to the introspect endpoint (https://slackcorp.okta.com/oauth2/v1/introspect). |
|
@arvindkrishnakumar-okta - So if it's trying to validate the token remotely, is it still reasonable to expect to be able to use this issuer or should I be trying to setup that custom authorization server? I'm unclear on whether using The original issue I raised was about another error that occurred during runtime, related to a missing bean. in that case I had the issuer set to I really appreciate all your help by the way! 🙇♀️ |
|
I'd recommend a read of https://developer.okta.com/docs/concepts/auth-servers/#which-authorization-server-should-you-use |
|
@arvindkrishnakumar-okta Read the documentation, can you confirm:
This means that even with |
|
Yes, thats accurate.
… On Mar 11, 2021, at 10:09 AM, Sarah Jiang ***@***.***> wrote:
This message originated outside your organization.
@arvindkrishnakumar-okta Read the documentation, can you confirm:
Org Authorization Server
Every Okta org comes with a built-in authorization server called the Org Authorization Server. The base URL for the Org Authorization Server is https://${yourOktaOrg}.
You use the Org Authorization Server to perform SSO with Okta for your OpenID Connect apps or to get an access token for the Okta APIs. You can't customize this authorization server with regards to audience, claims, policies, or scopes. Additionally, the resulting access token's issuer is https://${yourOktaOrg}, which indicates that only Okta can consume or validate it. The access token can't be used or validated by your own applications.
This means that even with okta-spring-boot-starter I cannot validate the token I have? I seems to suggest that Okta can validate the issuer? I'm try to request that Okta validate the issuer.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
Hi @srajiang! You should be able to validate the access token as an "opaque" token instead of a JWT. However, as @arvindkrishnakumar-okta mentioned usually for API use cases where you want to validate the token locally (i.e. a JWT) you would want to use a different Authorization Server that is setup for this. You can configure Spring Security to use opaque tokens by doing something like: import com.okta.spring.boot.oauth.Okta;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// allow anonymous access to the root page
.antMatchers("/").permitAll() // for pure API use cases you can remove this
// all other requests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer().opaqueToken();
// (optional) Send a 401 message to the browser (w/o this, you'll see a blank page)
Okta.configureResourceServer401ResponseBody(http);
}
}Taking a step back, though, how are you getting your access token (we might be able to suggest an alternative there, so you can avoid using opaque tokens) |
|
@bdemers Thanks for chiming in! I'll answer the stepping back question first, since it seems like we might be able to avoid using opaque tokens. Might be overdoing it on the detail here, but I thought I'd include everything just in case: I have a totally separate application frontend (React / nodejs) that has the @okta-auth-js and @okta-react modules installed. I use the Here are the properties I have setup for that frontend app: So I guess with the properties configured this way, I'm directing the okta sdk to use the root issuer(?) for this first flow to get an access token. Should I not be doing that? |
|
@bdemers Keeping all other things about my Spring environment setup constant (i.e. issuer as |
|
@srajiang you're missing to set the client secret above. You need the client secret to be able to validate opaque token. |
|
Closing this, feel free to reopen in case there are followup questions. |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
👋 Hello, I was directed to submit this as an issue after troubleshooting with Lijia on the Dev Support team. I am hoping this is an environment / configuration issue on my end (I am new to Java / Spring) and not a bug, so I've provided details below on what I have set up as well for context.
I'm submitting a
Background info
I am writing an API and my goal is to be able to validate the access token (JWT) passed to it from a client application with the help of
okta-spring-boot-starterand Okta as the default authorization server. This is a Spring Boot Application (backend). The AP client sending the access tokens as part ofBeareris isolated and gets its tokens separately via the Authorization Code flow with PCKE.Issue
With
okta-spring-boot-starteras a dependency, the application is failing to start with this error:OIDC App Details
Application Properties
Here is my
application.propertiesfile:When I run this with
https://{issuer domain}/oauth2/defaultas described in the instructions, the application fails earlier in the run with this error.which leads me to believe that the properties I have set up are correct. I'm under the impression that I should be able to use the same value for
issueras what I see in the access token and that value also matches what I currently have forokta.oauth2.issue. Additionally https://{ issuer domain }/.well-known/openid-configuration is accessible via curl and in the browser and returns the application meta data I expect.I have omitted the
client-secretfield as my application uses PKCE, and based on this it seems like it's not necessary anymore.Dependencies
Very straightforward as this is a test project.
pom.xml
WebSecurityConfigurerAdapter
Also following instructions, I have set up this class:
com.example.demo.config.WebSecurityConfigApplication
Expected behavior
I expect that the application should build and run successfully without errors, given the basic configuration I have outlined above.
What went wrong?
An exception is thrown as the required
HttpSecuritybean is not available. I think I have followed the setup instructions for the SDK, but it's possible I have misconfigured something.Steps to reproduce
application.propertiesmvn clean installSDK Version
2.0.1
The text was updated successfully, but these errors were encountered: